- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Mon, 26 Sep 2022 02:11:38 +0000
- To: public-webauthn@w3.org
From the view of an RP that has strict certification requirements, I think DPK still isn't enough to make mobile devices trustworthy because they implicitly are binding a credential to a third party account. This makes them ineligible for common criteria authentication systems. I think that for all the effort going into DPK, it's likely we'll see RP's not use it due to it's complexity, and the nature of credentials being synced and third party controlled. So my opinion @keikoit is that you should avoid MDC in high assurance scenarios, in favour of FIDO2 certified keys with strict attestation checks around the AAGUIDS in use. It is far simpler to audit and manage from a risk perspective. -- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1808#issuecomment-1257382933 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 26 September 2022 02:11:40 UTC